
Architecture Diagrams

AdversaryGraph is a self-hosted CTI-to-detection platform. The architecture is intentionally modular: the browser workspace stays separate from the API, database, background workers, MalwareGraph service, and attack-simulation lab fixtures.

The diagrams below are reviewer-facing architecture infographics. They show data flow, trust boundaries, storage responsibilities, and where analyst validation is required.

Platform Runtime

User Boundary
Analyst Browser: Private workspace UI
HTTPS / local reverse proxy
Frontend
React Frontend: nginx static application
/api/*
Backend Runtime
FastAPI Backend: Auth, APIs, review workflow, exports
PostgreSQL: ATT&CK / ATLAS, APTs, TTPs, IOCs, CVEs, assets, users, reports
Redis / Jobs: Background sync and worker state
LLM Providers: Claude, OpenAI, Gemini, MiniMax, local gateway
Observability: Health, request metrics, traces, redacted logs, Prometheus output

Trust boundary: report content is sent only to the LLM provider configured by the operator. The database and logs are operator-controlled in the self-hosted deployment.

Intelligence And Evidence Model

1. Ingest

Reports, logs, PCAP-derived text, IOCs, malware findings, asset inventories, and pasted analyst notes.

2. Extract

AI-assisted parsing identifies observables, ATT&CK/ATLAS candidates, CVEs, suspicious behavior, and evidence snippets.

3. Analyst Review

Accept, reject, or mark findings as needing evidence. AI output is never treated as final truth by itself.

4. Operationalize

Navigator layers, IOC/CVE context, detection backlog, telemetry gaps, PDF reports, JSON, CSV, and STIX exports.

ATT&CK / ATLAS: Technique candidates, tactics, evidence, review state
IOCs: Observable values, source attribution, enrichment context
CVEs: CVSS, KEV, CWE, CPE, evidence links
Detection: Telemetry readiness, backlog, validation gaps

Correlation Model

APT / Group: ATT&CK groups, aliases, reports, campaigns
TTP / Technique: ATT&CK / ATLAS technique, tactic, platform, telemetry requirement
IOC / Observable: IP, domain, URL, hash, artifact, source metadata
CVE / Vulnerability: CVSS, KEV, CWE, CPE, affected product, asset exposure
Evidence: Reports, campaigns, enrichment feeds, analyst notes, validation output
Correlation rule: source-backed relationships first, enrichment metadata second, optional AI only as a review candidate. Weak or AI-only relationships are not final attribution.

Relationships are source-backed where possible. Weak or AI-only relationships are treated as review candidates, not final truth.
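
One way to encode the correlation rule above, as an added example that is not AdversaryGraph's own code. The class, field and status names are hypothetical, and it assumes "weak" means a link with no source-backed evidence.

```python
from dataclasses import dataclass
from enum import IntEnum

class Basis(IntEnum):
    """Evidence tiers in the order the correlation rule ranks them."""
    SOURCE = 1      # report, campaign write-up, analyst note
    ENRICHMENT = 2  # feed metadata attached to an observable
    AI = 3          # model-suggested link

@dataclass(frozen=True)
class Link:
    left: str
    right: str
    bases: frozenset          # every Basis that supports this link
    review: str = "pending"   # pending | accepted | rejected | needs_evidence

    @property
    def strongest(self) -> Basis:
        return min(self.bases)

def status(link: Link) -> str:
    """Decide how a link may be used downstream."""
    if link.review == "rejected":
        return "rejected"
    # Assumption: "weak" means no source-backed evidence at all.
    if Basis.SOURCE not in link.bases:
        return "review_candidate"  # never promoted, even if accepted
    return "attributed" if link.review == "accepted" else "review_candidate"

def ranked(links):
    """Source-backed first, enrichment second, AI-only last; rejected dropped."""
    kept = [link for link in links if status(link) != "rejected"]
    return sorted(kept, key=lambda link: (link.strongest, link.left, link.right))

# Constructed sample data (placeholder group name, documentation IP range).
SAMPLE = [
    Link("ExampleGroup", "T1566", frozenset({Basis.AI}), "accepted"),
    Link("ExampleGroup", "198.51.100.7", frozenset({Basis.ENRICHMENT, Basis.AI})),
    Link("ExampleGroup", "T1059", frozenset({Basis.SOURCE, Basis.AI}), "accepted"),
    Link("ExampleGroup", "T1190", frozenset({Basis.SOURCE}), "needs_evidence"),
    Link("ExampleGroup", "T1003", frozenset({Basis.SOURCE}), "rejected"),
]

if __name__ == "__main__":
    for link in ranked(SAMPLE):
        print(f"{link.strongest.name:<10} {status(link):<16} {link.left} -> {link.right}")
```

The accepted AI-only link to T1566 stays a review candidate: in this sketch an analyst click cannot substitute for source evidence.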

Attack Simulation And SIEM Validation

Analyst selects ATT&CK TTP: Scenario page explains behavior, telemetry source, event structure, detection focus, and validation gaps.

Lab-Backed Telemetry

Approved Docker Fixture: Web server, endpoint fixture, service target
Real Target Logs: NGINX/access/auth/security/error or endpoint fixture telemetry
Real-Time Viewer: Run ID, raw line, source, status, client, bytes, event type

AI-Assisted Telemetry Challenge

Coherent Kill Chain: Ordered phases, related events, explain-attack output
Source-Shaped Events: Windows Event, Sysmon, EDR, DNS, proxy, WAF, firewall
Parser / Rule Drill: Validates SIEM field handling and correlation logic
Collected Telemetry: Saved local logs and selected event streams
SIEM Forwarding: Approved HTTP collector destination, auth mode, payload format
Detection Review: Parser result, rule hit, missed stages, coverage gaps

Lab-backed logs and AI-generated telemetry are labeled separately. AI telemetry validates parser/rule/correlation handling; it is not proof of exploit execution.

Malware Analysis Boundary

Default Workflow

MalwareGraph-Backed Static Analysis

  • Hash and feed checks
  • PE/static triage
  • Strings and IOC extraction
  • Unpacking and deobfuscation hints
  • Decompilation/debug-style workspace
  • AI behavior and function summaries

Gated Boundary

Runtime / Dynamic Analysis

  • Requires explicit isolated runtime profile
  • Network and execution controls must be configured by operator
  • Runtime claims must be separated from static findings
  • AI summaries remain analyst-assistance output

Security And Observability

Authenticated UI: Native login, viewer/analyst/admin roles, admin panel
Observability Dashboard: Health, uptime, latency, traces, redacted log tail, Prometheus metrics
CI Validation: Backend tests, frontend build, docs build, Docker build check
Security Scanning: Ruff, Bandit SAST, pip-audit, npm audit, Gitleaks, Trivy

Production deployments should use TLS, authentication, network restrictions, private provider keys, backups, retention policy, and external monitoring.